AL-2007.0040 -- [UNIX/Linux] -- Several critical vulnerabilities in MIT Kerberos

Date: 04 April 2007
References: ESB-2007.0216  ESB-2007.0217  ESB-2007.0223  ESB-2007.0224  AL-2007.0049  ESB-2007.0342  ESB-2007.0365  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2007.0040 -- AUSCERT ALERT
                               [UNIX/Linux]
             Several critical vulnerabilities in MIT Kerberos
                               4 April 2007

===========================================================================

        AusCERT Alert Summary
        ---------------------

Product:              kadmin
                      KDC
                      telnetd
Publisher:            MIT Kerberos
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact:               Execute Arbitrary Code/Commands
                      Inappropriate Access
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-0956 CVE-2007-0957 CVE-2007-1216

Original Bulletin:    
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-002-syslog.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-003.txt

Comment: This alert contains three advisories detailing critical
         vulnerabilities in MIT Kerberos.
         
         Third party applications linked with the MIT Kerberos libraries
         may also be vulnerable.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 MIT krb5 Security Advisory 2007-001

Original release: 2007-04-03
Last update: 2007-04-03

Topic: telnetd allows login as arbitrary user

Severity: CRITICAL

CVE: CVE-2007-0956
CERT: VU#220816

SUMMARY
=======

The MIT krb5 telnet daemon (telnetd) allows unauthorized login as an
arbitrary user, when presented with a specially crafted username.
Exploitation of this vulnerability is trivial.

This is a vulnerability in an application program; it is not a bug in
the MIT krb5 libraries or in the Kerberos protocol.

IMPACT
======

A user can gain unauthorized access to any account (including root) on
a host running telnetd.  Whether the attacker needs to authenticate
depends on the configuration of telnetd on that host.

AFFECTED SOFTWARE
=================

* telnetd in all releases of MIT krb5, up to and including krb5-1.6

FIXES
=====

* The upcoming krb5-1.6.1 release will contain a fix for this
  vulnerability.

Prior to that release you may:

* disable telnetd

or

* apply the patch

  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2007-001-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2007-001-patch.txt.asc

*** src/appl/telnet/telnetd/state.c	(revision 19480)
- - --- src/appl/telnet/telnetd/state.c	(local)
***************
*** 1665,1671 ****
  	    strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
  	    strcmp(varp, "NLSPATH") && /* locale stuff */
  	    strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
! 	    strcmp(varp, "IFS")) {
  		return 1;
  	} else {
  		syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
- - --- 1665,1672 ----
  	    strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
  	    strcmp(varp, "NLSPATH") && /* locale stuff */
  	    strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
! 	    strcmp(varp, "IFS") &&
! 	    !strchr(varp, '-')) {
  		return 1;
  	} else {
  		syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
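Review bot: the new `!strchr(varp, '-')` term at the end of the condition carries no inline comment, unlike the `/* linux */` and `/* locale stuff */` entries just above it, so the next reader has no hint why a dash matters in an environment-variable filter; suggest `!strchr(varp, '-')) { /* would be read as a login option */`. It also rejects a '-' anywhere in the name, whereas the sys_term.c hunks only test `name[0]` and `user[0]`; since portable variable names never contain '-', the stricter test here is fine, but say so in the comment so nobody later "relaxes" it to match the other checks.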
*** src/appl/telnet/telnetd/sys_term.c	(revision 19480)
- - --- src/appl/telnet/telnetd/sys_term.c	(local)
***************
*** 1287,1292 ****
- - --- 1287,1302 ----
  #endif
  #if	defined (AUTHENTICATION)
  	if (auth_level >= 0 && autologin == AUTH_VALID) {
+ 		if (name[0] == '-') {
+ 		    /* Authenticated and authorized to log in to an
+ 		       account starting with '-'?  Even if that
+ 		       unlikely case comes to pass, the current login
+ 		       program will not parse the resulting command
+ 		       line properly.  */
+ 		    syslog(LOG_ERR, "user name cannot start with '-'");
+ 		    fatal(net, "user name cannot start with '-'");
+ 		    exit(1);
+ 		}
  # if	!defined(NO_LOGIN_F)
  #if	defined(LOGIN_CAP_F)
  		argv = addarg(argv, "-F");
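Review bot: the `exit(1)` after `fatal(net, ...)` is unreachable if `fatal()` does not return, and if it does return, the syslog/fatal/exit triple is repeated verbatim in the getenv("USER") hunk below; a single `reject_dash_name(net, name)` helper called from both places would keep the two paths from drifting apart. Note also that this guard sits inside `if (auth_level >= 0 && autologin == AUTH_VALID)`, so it covers only the authenticated autologin path; protection of the unauthenticated path rests entirely on the later hunk.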
***************
*** 1377,1387 ****
  	} else
  #endif
  	if (getenv("USER")) {
! 		argv = addarg(argv, getenv("USER"));
  #if	defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
  		{
  			register char **cpp;
  			for (cpp = environ; *cpp; cpp++)
  				argv = addarg(argv, *cpp);
  		}
  #endif
- - --- 1387,1405 ----
  	} else
  #endif
  	if (getenv("USER")) {
! 		char *user = getenv("USER");
! 		if (user[0] == '-') {
! 		    /* "telnet -l-x ..." */
! 		    syslog(LOG_ERR, "user name cannot start with '-'");
! 		    fatal(net, "user name cannot start with '-'");
! 		    exit(1);
! 		}
! 		argv = addarg(argv, user);
  #if	defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
  		{
  			register char **cpp;
  			for (cpp = environ; *cpp; cpp++)
+ 			    if ((*cpp)[0] != '-')
  				argv = addarg(argv, *cpp);
  		}
  #endif
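Review bot: the environ filter `if ((*cpp)[0] != '-')` drops an offending entry silently, while the user-name check a few lines above logs and aborts; since state.c now refuses such names when they are negotiated, reaching this loop with one means a filter was bypassed, which deserves at least a `syslog(LOG_ERR, ...)` rather than a quiet skip. The `user[0] == '-'` test itself is sufficient for its purpose: each argv element is passed whole, so only a leading '-' can be taken for an option, and an empty `USER` (`user[0] == '\0'`) falls through the test unchanged.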

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVE: CVE-2007-0956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0956

CERT: VU#220816
http://www.kb.cert.org/vuls/id/220816

ACKNOWLEDGMENTS
===============

This vulnerability was found when attempting to confirm the absence of
a related vulnerability in the Solaris telnetd.  [CVE-2007-0882]

DETAILS
=======

The MIT krb5 telnet daemon fails to adequately check the provided
username.  A malformed username beginning with "-e" can be interpreted
as a command-line flag by the login.krb5 program, which is executed by
telnetd.  This causes login.krb5 to execute part of the BSD rlogin
protocol, where an arbitrary username may be injected, allowing login
as that user without a password or any further authentication.

If the telnet daemon is configured to only permit authenticated login,
then only authenticated users can exploit this vulnerability.
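As an added example (not code from MIT krb5 or login.krb5), the C program below models the argv-injection mechanism described above and the guard the patch introduces. `mock_login_user()` is a hypothetical stand-in for the real login option parser: it treats every argv element that begins with '-' as an option, which is enough to show why a user name such as "-eroot" never reaches login as a user name (it does not reproduce the rlogin-protocol behaviour of login.krb5). `build_login_argv_unchecked()` is the pre-patch pattern; `build_login_argv()` refuses a leading '-' in the user name and in forwarded environment entries, as the patched sys_term.c does, except that it fails closed on a bad environment entry instead of skipping it. All inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not MIT krb5 code. Models telnetd handing a
 * client-supplied user name and environment to login as argv. */

enum { MAX_ARGV = 16 };

/* Pre-patch pattern: the user name goes into argv unexamined. */
int build_login_argv_unchecked(const char *user, const char **argv)
{
    int argc = 0;
    argv[argc++] = "login";
    argv[argc++] = "-p";      /* telnetd's own option, always first */
    argv[argc++] = user;      /* client-controlled */
    argv[argc] = NULL;
    return argc;
}

/* Returns 1 if s is safe to pass to login as a non-option argument:
 * non-NULL, non-empty and not starting with '-'. */
int safe_login_arg(const char *s)
{
    return s != NULL && s[0] != '\0' && s[0] != '-';
}

/* Patched pattern: refuse a user name or environment entry that a
 * getopt-style parser would read as an option. Returns argc, or -1
 * on rejection (the real patch logs via syslog and calls fatal()). */
int build_login_argv(const char *user, const char *const *env, int nenv,
                     const char **argv)
{
    int argc = 0;
    if (!safe_login_arg(user) || nenv + 4 > MAX_ARGV)
        return -1;
    argv[argc++] = "login";
    argv[argc++] = "-p";
    argv[argc++] = user;
    for (int i = 0; i < nenv; i++) {
        if (!safe_login_arg(env[i]))
            return -1;
        argv[argc++] = env[i];
    }
    argv[argc] = NULL;
    return argc;
}

/* Hypothetical stand-in for login's option parsing, not login.krb5's
 * real parser: every argv element beginning with '-' is consumed as
 * an option; the first other element is taken as the user name.
 * Returns that name, or NULL if every element looked like an option. */
const char *mock_login_user(int argc, const char *const *argv)
{
    for (int i = 1; i < argc; i++) {
        if (argv[i][0] == '-')
            continue;               /* swallowed as an option */
        return argv[i];
    }
    return NULL;
}

int main(void)
{
    const char *argv[MAX_ARGV];
    const char *env[] = { "TERM=vt100", "-x=1" };   /* constructed input */

    /* Unchecked: "-eroot" disappears into option parsing. */
    int argc = build_login_argv_unchecked("-eroot", argv);
    const char *u = mock_login_user(argc, argv);
    printf("unchecked: login sees user %s\n", u ? u : "(none, consumed as option)");

    /* Checked: the same name is rejected before exec. */
    printf("checked: rc=%d\n", build_login_argv("-eroot", env, 1, argv));
    /* A normal name with a hostile environment entry is rejected too. */
    printf("checked env: rc=%d\n", build_login_argv("alice", env, 2, argv));
    return 0;
}
```

The check is deliberately on the first byte only: an argv element is delivered to login as one string, so a '-' anywhere else cannot start a new option, which is why the patch tests `user[0]` rather than searching the whole name.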

REVISION HISTORY
================

2007-04-03      original release

Copyright (C) 2007 Massachusetts Institute of Technology
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iQCVAwUBRhKVRabDgE/zdoE9AQIzPAQAj8a7ShfHXVVMOPQhEyoN/Ydnalnfa2xE
cl7UXFSjmkexalD+rymL0upLFw7EVgnYrVazc+AUhDLt1AZmCl5Lj2+WAcl1QYPu
fEGm2SFaS4Eda6NRb6xZ4BeY8zfRWFN2G8Bb5krpGj+oEX/c3Xg8O4oUyiJBYBQi
TXhryamn6Yw=
=aE5C
- -----END PGP SIGNATURE-----


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 MIT krb5 Security Advisory 2007-002

Original release: 2007-04-03
Last update: 2007-04-03

Topic: KDC, kadmind stack overflow in krb5_klog_syslog

Severity: CRITICAL

CVE: CVE-2007-0957
CERT: VU#704024

SUMMARY
=======

The library function krb5_klog_syslog() can write past the end of a
stack buffer.  The Kerberos administration daemon (kadmind) as well as
the KDC, are vulnerable.  Exploitation of this vulnerability is
probably simple.

This is a vulnerability in the kadm5 library, which is used by the
KDC and kadmind, and possibly by some third-party applications.  It is
not a bug in the MIT krb5 protocol libraries or in the Kerberos
protocol.

IMPACT
======

An authenticated user may be able to cause a host running kadmind to
execute arbitrary code.

An authenticated user may be able to cause a KDC host to execute
arbitrary code.  Also, a user controlling a Kerberos realm sharing a
key with the target realm may be able to cause a KDC host to execute
arbitrary code.

Successful exploitation can compromise the Kerberos key database and
host security on the host running these programs.  (kadmind and the
KDC typically run as root.)  Unsuccessful exploitation attempts will
likely result in the affected program crashing.

Third-party applications which call krb5_klog_syslog() may also be
vulnerable.

AFFECTED SOFTWARE
=================

* MIT krb5 releases through krb5-1.6

FIXES
=====

* The upcoming krb5-1.6.1 release will contain a fix for this
  vulnerability.

Prior to that release you may:

* apply the patch

  The patch is available at

  http://web.mit.edu/kerberos/advisories/2007-002-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2007-002-patch.txt.asc

  Systems which definitely provide vsnprintf() may not need the entire
  patch; see "DETAILS".

  Please note that releases prior to krb5-1.5 will require additional
  changes to the configure script src/lib/kadm5/configure in order to
  correctly detect the presence of vsnprintf().  krb5-1.5 and later
  releases already check for vsnprintf() in the top-level configure
  script, and do not have a separate src/lib/kadm5/configure script.

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-002-syslog.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVE: CVE-2007-0957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0957

CERT: VU#704024
http://www.kb.cert.org/vuls/id/704024

ACKNOWLEDGMENTS
===============

We thank iDefense Labs for notifying us of this vulnerability.
iDefense credits an anonymous discoverer.

DETAILS
=======

krb5_klog_syslog() uses vsprintf() to format text into a fixed-length
stack buffer.  Format specifiers such as "%s" used in calls to
krb5_klog_syslog() may allow formatting of strings of sufficient
length to overwrite memory past the end of the stack buffer.

Certain strings received from the client by the kadmin daemon are not
truncated prior to logging.  Among these strings is the target
principal for the kadmin operation.

The KDC truncates most client-originated strings prior to logging.
One sort of string which is not truncated is a transited-realms
string.  A malicious KDC sharing a key with the target realm may issue
tickets with specially-crafted transited-realms strings to exploit
this vulnerability.  There are other places where an authenticated
user may cause the KDC to log a string which triggers the
vulnerability.

On a system where vsnprintf() is confirmed to be available, the
patches to files other than src/lib/kadm5/logger.c may not be
necessary to prevent a buffer overflow; these patches are still useful
to prevent malicious users from causing vsnprintf() to obliterate
useful log information by means of truncation.
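As an added example (not MIT krb5 code), the C snippet below contrasts the vsprintf() pattern described above with a bounded logger. `klog_format()` is a hypothetical replacement for the formatting step of krb5_klog_syslog(): it writes into the same kind of fixed stack buffer but with vsnprintf(), and reports whether the message would have overrun it. The two `log_principal_*()` functions show the second point the advisory makes: once truncation is the failure mode, an unbounded `%s` lets an attacker-sized principal push the rest of the line (here the client identity) out of the log, while `%.*s` with an assumed 255-byte cap (PRINC_MAX, not a krb5 constant) clips only the untrusted field. The operation name and principals are constructed sample values.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not MIT krb5 code. */

#define KLOG_BUF  1024   /* fixed stack buffer, as in the vulnerable logger */
#define PRINC_MAX 255    /* assumed cap on a logged principal name (not a krb5 constant) */

/* Formats into a KLOG_BUF-byte stack buffer with vsnprintf(), so it can
 * never write past the buffer whatever the arguments are. Copies the
 * (possibly clipped) message to out and returns the length the full
 * message would have needed; a value >= KLOG_BUF means the message was
 * truncated. Returns -1 on a formatting error. */
int klog_format(char *out, size_t outlen, const char *fmt, ...)
{
    char buf[KLOG_BUF];
    va_list ap;
    int need;

    va_start(ap, fmt);
    need = vsnprintf(buf, sizeof buf, fmt, ap);   /* vsprintf() here is the bug */
    va_end(ap);
    if (need < 0)
        return -1;
    snprintf(out, outlen, "%s", buf);
    return need;
}

int klog_truncated(int need)
{
    return need >= KLOG_BUF;
}

/* Unbounded %s: safe against overflow now, but an oversized principal
 * pushes the trailing client field out of the line. */
int log_principal_unbounded(char *out, size_t outlen,
                            const char *op, const char *princ, const char *client)
{
    return klog_format(out, outlen, "Request: %s, %s, %s", op, princ, client);
}

/* Bounded %.*s: the principal is clipped to PRINC_MAX bytes and the rest
 * of the message survives intact. */
int log_principal_bounded(char *out, size_t outlen,
                          const char *op, const char *princ, const char *client)
{
    return klog_format(out, outlen, "Request: %s, %.*s, %s",
                       op, PRINC_MAX, princ, client);
}

/* Returns 1 if the logged line still ends with the client field. */
int log_keeps_client(const char *line, const char *client)
{
    size_t ll = strlen(line), cl = strlen(client);
    return ll >= cl && strcmp(line + ll - cl, client) == 0;
}

int main(void)
{
    char princ[3000], line[KLOG_BUF];   /* constructed oversized principal */
    const char *client = "admin@EXAMPLE.COM";
    memset(princ, 'A', sizeof princ - 1);
    princ[sizeof princ - 1] = '\0';

    int n1 = log_principal_unbounded(line, sizeof line, "modify_principal", princ, client);
    printf("unbounded: need=%d truncated=%d client kept=%d\n",
           n1, klog_truncated(n1), log_keeps_client(line, client));
    int n2 = log_principal_bounded(line, sizeof line, "modify_principal", princ, client);
    printf("bounded:   need=%d truncated=%d client kept=%d\n",
           n2, klog_truncated(n2), log_keeps_client(line, client));
    return 0;
}
```

This is the same split the advisory draws between the logger.c change (stop the overflow) and the remaining patches (stop truncation from discarding the useful part of the record): swapping in vsnprintf() fixes memory safety, and bounding each client-controlled field keeps the log forensically useful.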

REVISION HISTORY
================

2007-04-03      original release

Copyright (C) 2007 Massachusetts Institute of Technology
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iQCVAwUBRhKVS6bDgE/zdoE9AQJlZgQAq/IvVdpkf3VNViwuZaAJ31+mqq17gKqX
9DkxkvpPD2b5/8N/ouywP/ODCpYpT9Y+mU+Cw/hEfL2otv/o1HJcV7CXPRCEFODs
YKpi2Sahcxs+jl1ZQfsY63oay6urZ0PTcrZTFQuqOv8B0wVd0XUwrSkBLejZszL3
YUFR4W+wtbg=
=GsBC
- -----END PGP SIGNATURE-----


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 MIT krb5 Security Advisory 2007-003

Original release: 2007-04-03
Last update: 2007-04-03

Topic: double-free vulnerability in kadmind (via GSS-API library)

Severity: CRITICAL

CVE: CVE-2007-1216
CERT: VU#419344

SUMMARY
=======

The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to
a double-free attack in the RPCSEC_GSS authentication flavor of the
RPC library, which itself results from a bug in the GSS-API library.
Under some error conditions, the krb5 GSS-API mechanism can free a
buffer which an application may then free again.  This may result in
arbitrary code execution.  Third-party applications using the GSS-API
library provided with MIT krb5 may also be vulnerable.

Exploitation of double-free bugs is believed to be difficult.

This is a bug in the GSS-API library included with MIT krb5, which is
used by kadmind and by some third-party applications.  It is not a bug
in the Kerberos protocol.

IMPACT
======

An authenticated user may be able to cause a host running kadmind to
execute arbitrary code.

Successful exploitation can compromise the Kerberos key database and
host security on the host running these programs.  (kadmind and the
KDC typically run as root.)  Unsuccessful exploitation attempts will
likely result in the affected program crashing.

Third-party applications calling either the RPC library or the GSS-API
library provided with MIT krb5 may be vulnerable.

AFFECTED SOFTWARE
=================

* kadmind from MIT releases krb5-1.4 through krb5-1.6

* third-party applications calling the RPC library included in MIT
  releases krb5-1.4 through krb5-1.6

* kadmind and third-party applications calling the RPC library in MIT
  releases earlier than krb5-1.4 may not be vulnerable because the
  RPCSEC_GSS authentication flavor was not implemented in those RPC
  libraries.

* third-party applications calling the GSS-API library included in any
  MIT krb5 releases, up to and including krb5-1.6, if the application
  handles GSS-API errors in a certain way

FIXES
=====

* The upcoming krb5-1.6.1 release will contain a fix for this
  vulnerability.

Prior to that release you may:

* apply the patch

  Note that releases prior to krb5-1.3 will require a different patch
  due to an additional related vulnerability in the same file.

  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2007-003-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2007-003-patch.txt.asc

*** src/lib/gssapi/krb5/k5unseal.c	(revision 19510)
- - --- src/lib/gssapi/krb5/k5unseal.c	(revision 19511)
***************
*** 457,464 ****
  
      if ((ctx->initiate && direction != 0xff) ||
  	(!ctx->initiate && direction != 0)) {
! 	if (toktype == KG_TOK_SEAL_MSG)
  	    xfree(token.value);
  	*minor_status = G_BAD_DIRECTION;
  	return(GSS_S_BAD_SIG);
      }
- - --- 457,467 ----
  
      if ((ctx->initiate && direction != 0xff) ||
  	(!ctx->initiate && direction != 0)) {
! 	if (toktype == KG_TOK_SEAL_MSG) {
  	    xfree(token.value);
+ 	    message_buffer->value = NULL;
+ 	    message_buffer->length = 0;
+ 	}
  	*minor_status = G_BAD_DIRECTION;
  	return(GSS_S_BAD_SIG);
      }
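Review bot: the hunk frees `token.value` but resets `message_buffer->value`, and nothing in the visible lines says the two refer to the same allocation; add a comment above `xfree(token.value)` stating that `message_buffer->value` aliases it, since that aliasing is the whole reason the two new assignments are needed. Worth confirming as well that no other early-return error path in `kg_unseal_v1()` frees `token.value` without the same reset, because the caller-side `gss_release_buffer()` this fix guards against would reach those paths just the same.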

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-003.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVE: CVE-2007-1216
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1216

CERT: VU#419344
http://www.kb.cert.org/vuls/id/419344

ACKNOWLEDGMENTS
===============

This bug was found while exercising the GSS-API library using the
GSSTEST test program provided by SAP AG.

Shiva Persaud of IBM alerted us to an ambiguity in the wording of a
draft of this advisory.

DETAILS
=======

The kg_unseal_v1() function in src/lib/gssapi/krb5/k5unseal.c frees
memory allocated for the "message_buffer" gss_buffer_t when it detects
an invalid direction encoding on the message.  It does not set the
pointer to NULL, nor does it set the length to zero.  An application
subsequently calling gss_release_buffer() on this gss_buffer_t will
cause memory to be freed twice.

Much code provided with MIT krb5 does not attempt to call
gss_release_buffer() when gss_unseal() or gss_unwrap() fails, even
though the GSS-API C-bindings specification permits it to do so.  The
RPCSEC_GSS authentication flavor for the RPC library, introduced in
krb5-1.4, does call gss_release_buffer() when gss_unwrap() fails.
This allows an authenticated attacker to trigger a double-free
situation.

Third-party applications calling the RPC library provided with MIT
krb5 and using the RPCSEC_GSS authentication flavor are vulnerable.
Third-party applications calling the MIT GSS-API library are
vulnerable if they call gss_release_buffer() when they experience
errors from gss_unseal() or gss_unwrap().
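As an added example (not MIT krb5 or GSS-API code), the C program below models the ownership rule behind this fix. `unseal()` is a hypothetical stand-in for kg_unseal_v1(): on a bad direction byte it frees the output buffer and, depending on the `fix` flag, either leaves the caller's descriptor pointing at freed memory (pre-patch) or resets value and length (patched). `release_buffer()` plays the part of gss_release_buffer() called by an RPCSEC_GSS-style caller on failure. A small tracking allocator, added only so the demonstration can count a second free instead of corrupting the heap, reports one double free for the pre-patch path and none for the patched one. The tokens are constructed.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not MIT krb5 or GSS-API code. Models the ownership
 * rule behind the k5unseal.c fix: if a callee frees a buffer the caller
 * can see, it must also reset that buffer's value/length, otherwise the
 * caller's own release call frees the block a second time. */

typedef struct {
    size_t length;
    void  *value;
} buffer_desc;                      /* stand-in for gss_buffer_desc */

/* Tracking allocator, added only so a double free can be counted rather
 * than corrupting the heap: a free of a pointer that is not currently
 * live is recorded and not performed. */
enum { MAX_LIVE = 8 };
static void *live[MAX_LIVE];
static int   double_frees;

static void *tracked_alloc(size_t n)
{
    void *p = malloc(n);
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; break; }
    return p;
}

static void tracked_free(void *p)
{
    if (p == NULL)
        return;                     /* like free(NULL): nothing to do */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;                 /* p was already freed */
}

/* Caller-side release, as gss_release_buffer() would do. */
static void release_buffer(buffer_desc *b)
{
    tracked_free(b->value);
    b->value = NULL;
    b->length = 0;
}

/* Hypothetical stand-in for kg_unseal_v1(): copies the token into out,
 * then checks the first byte as the "direction" field (0 is valid here).
 * On the error path it frees the copy; with fix != 0 it also resets the
 * caller's descriptor, which is what the patch adds. */
static int unseal(const unsigned char *tok, size_t n, buffer_desc *out, int fix)
{
    out->length = n;
    out->value  = tracked_alloc(n);
    if (out->value == NULL)
        return -1;
    memcpy(out->value, tok, n);
    if (n == 0 || tok[0] != 0) {            /* bad direction encoding */
        tracked_free(out->value);
        if (fix) {
            out->value  = NULL;
            out->length = 0;
        }
        return -1;
    }
    return 0;
}

/* A caller that, like the RPCSEC_GSS path, releases the buffer when
 * unseal fails. Returns the number of double frees observed. */
int run_bad_token(int fix)
{
    static const unsigned char bad_tok[] = { 0xff, 'x', 'y' };   /* constructed */
    buffer_desc b = { 0, NULL };

    double_frees = 0;
    if (unseal(bad_tok, sizeof bad_tok, &b, fix) != 0)
        release_buffer(&b);
    return double_frees;
}

/* Same caller on a well-formed token: one alloc, one free, no error. */
int run_good_token(void)
{
    static const unsigned char good_tok[] = { 0x00, 'o', 'k' };  /* constructed */
    buffer_desc b = { 0, NULL };

    double_frees = 0;
    if (unseal(good_tok, sizeof good_tok, &b, 1) == 0)
        release_buffer(&b);
    return double_frees;
}

int main(void)
{
    printf("pre-patch path: %d double free(s)\n", run_bad_token(0));
    printf("patched path:   %d double free(s)\n", run_bad_token(1));
    printf("good token:     %d double free(s)\n", run_good_token());
    return 0;
}
```

The caller here is written the way the advisory says RPCSEC_GSS behaves, releasing the buffer on failure; the point of the patched branch is that both callers, those that release on error and those that do not, are then correct, because a NULL value with zero length is a no-op to release.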

REVISION HISTORY
================

2007-04-03      original release

Copyright (C) 2007 Massachusetts Institute of Technology
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iQCVAwUBRhKVU6bDgE/zdoE9AQJS0gP/fieb8glCvyZHOiJkVRGGbtzzSPC2RcHN
IkuF+aJo+KaKSFE+aKjce6Yx8jbOeqXx6CJe6UivGwXr1yyp31dh4B92N+3kMJlk
bsNlmNJOg2iOAo+YTINokfIwsYZSWcAv1UVjhTYlev0sn9IdI/a1NNhNpIvkSDg0
NdPwbLy4wi8=
=MwHB
- -----END PGP SIGNATURE-----


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRhMqHSh9+71yA2DNAQJS+QP+JmSKoOsFHATS+eeZB+dpEauc3bzWH/2J
cpDR2e6fVOLxy8PW/trNNZIeXEilVOiLZL7je+kvlvGSUQmEi1VQLMFHLIc23TvS
zYJxdyYlHvQqrN7GrQWBEsfjeLADGJAEXKwTcWOPgKbG6QVwyC+HcXkuzuaecMoF
B6sWnhRiAr8=
=KL0v
-----END PGP SIGNATURE-----